I AM CISCO Registered Member
Join Date: Aug 2007 Location: Overland Park, KS
Posts: 1,005
Certifications: (CCNP, CCIP, CCIE RS, CCIE SP) in progress, CCNA, MCP x 3, A+

CT's head about to explode....

Access               Access
  |                     |
6513-1---------------6513-2
  |                     |
ASA5520-1---DMZ---ASA5520-2
  |                     |
3825-1---------------3825-2
  |                     |
ISP1                  ISP2

OK. Here is the topology I think I'm dealing with. Dual ISPs, BGP peered, no problem there. 3825-1, 3825-2, 6513-1, 6513-2 will be iBGP peered, again, no problem there.
Where my head implodes is in the firewall configuration.
The firewalls are supposed to provide redundancy to the network, yada yada, you know the story there. This particular network has one and only one DMZ. With one DMZ being attached to two firewalls, I'm really wondering how on earth I'm ever going to make that work... I guess I'm just open to suggestions at this point, but I'm really just wondering how to handle this. If I get a WWW hit on my external IP that is NAT'd to a DMZ address, what is going to happen from there? Both firewalls process the packets and wreak havoc? Grr... probably a little bit of exhaustion talking here, but I'd like some feedback nonetheless.... Thanks guys.
__________________
B.S., Network and Communications Management
CCNA, MCP x 3, A+
En route: Everything Cisco.
"$100K is a personality trait" - yours truly Cisco CCIE Certification - The journey has only just begun.

I AM CISCO Registered Member
Join Date: Aug 2007 Location: Overland Park, KS
Posts: 1,005
Certifications: (CCNP, CCIP, CCIE RS, CCIE SP) in progress, CCNA, MCP x 3, A+

Good, I'm not the only one..... Cisco Systems: ASA Series - ASA 5520 Redundant ISP and Fail over Load balance
Glad I'm not the only one, though formal documentation seems to be a little sparse, which I find to be odd considering the popularity of the idea of having dual everything in enterprise networks...
Oh well, on with my search.

Village Idiot Registered Member
Join Date: Mar 2007 Location: NJ
Posts: 2,266
Certifications: CCIE #19991 R+S, CCNA, CCNP, CCIP, CCVP, CCSP, CCSI, MCSE NT4.0, 2000, 2003, + Messaging and Security, MCDBA, MCSD, MCAD

If it is BGP peered with 2 ISPs then that would lead me to believe that the network is using a provider-independent address space and has their own ASN. The ASA configuration should be active/standby or active/active and doesn't require any configuration to support this. The BGP routing table should decide what ISP to use, not the ASA, so I wouldn't use that document on using multiple ISPs.
I don't really understand your diagram.
__________________
The only easy day was yesterday!

I AM CISCO Registered Member
Join Date: Aug 2007 Location: Overland Park, KS
Posts: 1,005
Certifications: (CCNP, CCIP, CCIE RS, CCIE SP) in progress, CCNA, MCP x 3, A+

Quote:
Originally Posted by dtlokee
If it is BGP peered with 2 ISPs then that would lead me to believe that the network is using a provider-independent address space and has their own ASN. The BGP routing table should decide what ISP to use, not the ASA, so I wouldn't use that document on using multiple ISPs.

That was exactly my thought when I first started drawing this up a while back. I guess where my head is getting in a bind is when traffic starts getting NAT'd through to the DMZ.
If both firewalls have identical configurations, identical NAT rules, etc., which is the way I'm thinking this is supposed to be implemented, and I hit a web server from an external address 9.9.9.9 that is NAT'd to DMZ address 192.168.10.10, what prevents BOTH firewalls from picking that traffic up if they are both attached to the same DMZ?
I'll try and get a better diagram posted.....
I'm thinking in Active/Standby this is not much of an issue, but what about Active/Active? Hope I'm making some sense here..

Village Idiot Registered Member
Join Date: Mar 2007 Location: NJ
Posts: 2,266
Certifications: CCIE #19991 R+S, CCNA, CCNP, CCIP, CCVP, CCSP, CCSI, MCSE NT4.0, 2000, 2003, + Messaging and Security, MCDBA, MCSD, MCAD

Once the failover link is established and one unit is active and one unit is standby, you will configure the DMZ on the active unit the same as the inside or outside interface:

int gi0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
int gi0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
int gi0/2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

That is all there is to it. The active unit will respond to ARP requests and forward packets, the standby unit won't.
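
For anyone labbing this up, here is a complete Active/Standby pair configuration for the topology in this thread. It is an added example, not dtlokee's or Cisco's configuration. It uses ASA 8.2-era syntax, the outside/inside addressing from the post above, a 192.168.10.0/24 DMZ so that the thread's 9.9.9.9 -> 192.168.10.10 web server fits, and an assumed GigabitEthernet0/3 as a dedicated failover/stateful link; the FOVER link addresses and the failover key are constructed placeholders.

```text
! ASA5520-1, the primary unit. ASA5520-2 needs only the lines marked
! [both units], with "failover lan unit secondary" instead of primary;
! everything else is replicated to it once the failover pair forms.
hostname ASA5520-1
prompt hostname priority state
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
 no shutdown
!
! The single DMZ segment plugs into Gi0/2 on BOTH units. Only the active
! unit answers ARP for 192.168.10.1 and forwards; the standby holds .2 and
! uses it only for its own management and interface health tests.
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
 no shutdown
!
! Assumed: Gi0/3 is a dedicated LAN + stateful failover link (direct cable
! or an isolated VLAN between the two ASAs, never a production segment).
interface GigabitEthernet0/3
 description failover/state link to ASA5520-2
 no shutdown
!
! [both units] define the failover link; on ASA5520-2 use "failover lan unit secondary"
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER GigabitEthernet0/3
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! [both units] shared secret that authenticates and encrypts failover traffic
! (constructed placeholder; without it the replicated config crosses the link in the clear)
failover key FAILOVERKEYPLACEHOLDER
! unit hellos every 1 s, peer declared dead after 3 s; interface tests every 5 s
failover polltime unit 1 holdtime 3
failover polltime interface 5 holdtime 25
! track the DMZ as well, so a dead DMZ link on the active unit forces a switchover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
! [both units] enable failover last, after the link is defined
failover
!
! Static NAT for the web server from the thread (8.2 syntax: the outside
! ACL matches the translated address 9.9.9.9, not the real DMZ address)
static (DMZ,outside) 9.9.9.9 192.168.10.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 9.9.9.9 eq www
access-group OUTSIDE_IN in interface outside
```

Checks after both units are cabled: "show failover" should report this unit as Active and the peer as Standby Ready with every monitored interface in the Normal state. The reason both firewalls do not grab the NAT'd packet is that the active unit alone owns the active IP and its MAC address on every interface; on a switchover the new active unit assumes that same MAC and sends gratuitous ARP, so the DMZ switch only relearns the port, not the IP-to-MAC mapping. With the stateful link in place, the xlate for 9.9.9.9 and established TCP connections are replicated, so a web session in progress survives a failover; without "failover link", the standby takes over with an empty connection table and open sessions are reset.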

I AM CISCO Registered Member
Join Date: Aug 2007 Location: Overland Park, KS
Posts: 1,005
Certifications: (CCNP, CCIP, CCIE RS, CCIE SP) in progress, CCNA, MCP x 3, A+

Quote:
Originally Posted by dtlokee
Once the failover link is established and one unit is active and one unit is standby, you will configure the DMZ on the active unit the same as the inside or outside interface:

int gi0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
int gi0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
int gi0/2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

That is all there is to it. The active unit will respond to ARP requests and forward packets, the standby unit won't.

Bah. I think the lights just went on. Feeling a bit dense now.
Thanks DT, it's always you to clear up my funk.
I'm going to do my best to lab this up, but having only one 5520 in PRODUCTION I'll probably have to resort to pemu. I'll keep posting here with my results.

I AM CISCO Registered Member
Join Date: Aug 2007 Location: Overland Park, KS
Posts: 1,005
Certifications: (CCNP, CCIP, CCIE RS, CCIE SP) in progress, CCNA, MCP x 3, A+

According to Cisco and some other forums I've come across, it looks like Active/Active and IPSec VPN don't play nice together. Does this mean simply that IPSec VPN will not fail over, or that you can't implement it? This is going to be a major point against Active/Active configuration. I have remote users all over the place. In the grand scheme of things, remote user sessions will be the last of my worries if a firewall fails, but I do have a problem with not being able to continue using IPSec for my remote access VPNs.....

Senior Member Registered Member
Join Date: May 2007 Location: Oshawa, Ontario
Posts: 528
Certifications: MCSE, CCNA:Sec, CCNP

Quote:
Originally Posted by cisco_trooper
According to Cisco and some other forums I've come across, it looks like Active/Active and IPSec VPN don't play nice together. Does this mean simply that IPSec VPN will not fail over, or that you can't implement it? This is going to be a major point against Active/Active configuration. I have remote users all over the place. In the grand scheme of things, remote user sessions will be the last of my worries if a firewall fails, but I do have a problem with not being able to continue using IPSec for my remote access VPNs.....

That means you can't implement it. If you try to enable IPSec VPN, you'll get an error indicating that the ASAs are in Active/Active. The entire option of IPSec VPNs disappears in Active/Active.
So yeah, that's a huge reason to stick with Active/Standby.
Active/Standby also goes nicely with your dual-homed DMZ setup anyway.
__________________
There are only 10 kinds of people... those who understand binary, and those that don't.

I AM CISCO Registered Member
Join Date: Aug 2007 Location: Overland Park, KS
Posts: 1,005
Certifications: (CCNP, CCIP, CCIE RS, CCIE SP) in progress, CCNA, MCP x 3, A+

Quote:
Originally Posted by mikearama
That means you can't implement it. If you try to enable IPSec VPN, you'll get an error indicating that the ASAs are in Active/Active. The entire option of IPSec VPNs disappears in Active/Active.
So yeah, that's a huge reason to stick with Active/Standby.
Active/Standby also goes nicely with your dual-homed DMZ setup anyway.

Man, that really sucks. Any technical reason why they can't do this?

Village Idiot Registered Member
Join Date: Mar 2007 Location: NJ
Posts: 2,266
Certifications: CCIE #19991 R+S, CCNA, CCNP, CCIP, CCVP, CCSP, CCSI, MCSE NT4.0, 2000, 2003, + Messaging and Security, MCDBA, MCSD, MCAD

It's not really an active/active issue; once you put the ASA in multiple context mode you lose VPN.